Turns out there is a way. It seems to be a recent addition, as it wasn’t in the documentation I looked at originally.
[nss]
allowed_shells = *
shell_fallback = /bin/bash

The semantics of allowed_shells is kind of interesting.

* any shell in /etc/shells is OK
* any shell in allowed_shells but not in /etc/shells gets replaced by the fallback
* if allowed_shells isn't set, any shell is used, even if it doesn't exist

So setting allowed_shells to * does what you'd want: any shell in /etc/shells is OK. Otherwise you get the fallback. * as a possible value is relatively new. This is really what I'd expect default behavior to be if allowed_shells isn't set.

> On Jan 26, 2018, at 8:20 AM, Robbie Harwood via FreeIPA-users
> <email@example.com> wrote:
>
> Rob Crittenden via FreeIPA-users <firstname.lastname@example.org>
> writes:
>
>> Charles Hedrick via FreeIPA-users wrote:
>>
>>> One of my staff made a typo in his shell in "ipa user-mod --shell". It
>>> can be hard to recover from, since you can't login.
>>>
>>> Is there a way to restrict what they can use? Traditionally only
>>> shells in /etc/shells were valid.
>>
>> There is no way currently.
>>
>> Note that part of the problem is which /etc/shells to use? Remember
>> that IPA is centralized and users may be using a number of different
>> operating systems. This is why the default shell is /bin/sh, because
>> it is nearly universal.
>
> At the very least, it would be good to restrict it to /etc/shells on the
> current machine. Doesn't cover everything, but it's an improvement.
>
> Thanks,
> --Robbie
> _______________________________________________
> FreeIPA-users mailing list -- email@example.com
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
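The three rules above describe a small decision procedure, and it is worth seeing how a typo'd shell ends up differently under an unset allowed_shells versus the allowed_shells = * / shell_fallback configuration. The following is an added model written for this page; it is not SSSD's code or anything from the thread. The /etc/shells contents, the sssd.conf text and the user shells are constructed sample data, /bin/sh as the default for shell_fallback is taken from sssd.conf(5), and the nologin result for a shell that is neither allowed nor in /etc/shells is an assumption from my reading of that man page, since the thread does not cover that case.

```python
"""
Model of how SSSD's [nss] shell options resolve a user's login shell,
following the semantics described in the thread:
  - a shell listed in this host's /etc/shells is used as-is;
  - a shell that allowed_shells admits but /etc/shells lacks becomes
    shell_fallback;
  - with allowed_shells unset, the directory value is used verbatim,
    even if the binary does not exist on this host.
Added illustration, not SSSD's code.  Sample data is constructed.
"""
import configparser
from typing import Optional, Sequence

# Constructed stand-in for this host's /etc/shells.
ETC_SHELLS = frozenset({"/bin/sh", "/bin/bash", "/usr/bin/zsh", "/bin/tcsh"})

# The [nss] snippet from the thread, as text a client might carry.
SAMPLE_SSSD_CONF = """
[nss]
allowed_shells = *
shell_fallback = /bin/bash
"""

# Assumption (not in the thread): sssd.conf(5) describes a nologin shell
# for a shell that is neither in allowed_shells nor in /etc/shells.
NOLOGIN = "/sbin/nologin"


def load_nss_shell_options(conf_text: str):
    """Parse allowed_shells (comma-separated, None if absent) and
    shell_fallback (default /bin/sh per sssd.conf(5)) from sssd.conf text."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    nss = cp["nss"] if cp.has_section("nss") else {}
    raw = nss.get("allowed_shells")
    allowed = None if raw is None else [s.strip() for s in raw.split(",") if s.strip()]
    fallback = nss.get("shell_fallback", "/bin/sh")
    return allowed, fallback


def effective_shell(
    directory_shell: str,
    allowed_shells: Optional[Sequence[str]],
    shell_fallback: str = "/bin/sh",
    etc_shells: frozenset = ETC_SHELLS,
) -> str:
    """Return the shell the NSS layer would hand to login for this user."""
    # Rule 1: anything in /etc/shells on this machine is fine.
    if directory_shell in etc_shells:
        return directory_shell
    # Rule 3: allowed_shells unset -> the directory value is used verbatim,
    # which is exactly how a typo in 'ipa user-mod --shell' locks a user out.
    if allowed_shells is None:
        return directory_shell
    # Rule 2: admitted by allowed_shells ('*' admits everything) but absent
    # from /etc/shells -> swap in the fallback.
    if "*" in allowed_shells or directory_shell in allowed_shells:
        return shell_fallback
    # Neither allowed nor present: assumed nologin (see note above).
    return NOLOGIN


def typo_outcomes(typo_shell: str = "/bin/bsah"):
    """Compare the lockout case (allowed_shells unset) with the thread's
    recommended configuration for a constructed typo of /bin/bash."""
    without_config = effective_shell(typo_shell, None)
    allowed, fallback = load_nss_shell_options(SAMPLE_SSSD_CONF)
    with_config = effective_shell(typo_shell, allowed, fallback)
    return without_config, with_config


if __name__ == "__main__":
    before, after = typo_outcomes()
    print(f"allowed_shells unset : {before}")   # the non-existent typo'd shell
    print(f"allowed_shells = *   : {after}")    # /bin/bash from shell_fallback
```

Running the module prints the two outcomes side by side: with allowed_shells unset the user keeps the misspelled shell and cannot log in, while the thread's configuration hands them /bin/bash. Note that the /etc/shells consulted is the one on the machine where SSSD runs, which is the point Rob raised about centralised IPA and mixed operating systems.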